Author: Jacob Appelbaum Date: To: The Tails public development discussion list Subject: Re: [Tails-dev] Fwd: Re: Reducing attack surface of kernel and
tightening firewall/sysctls
On 2/14/16, intrigeri <intrigeri@???> wrote: > Jacob Appelbaum wrote (14 Feb 2016 13:04:58 GMT) :
>> I feel a bit sad to see this rehashed. Please just drop all packets on
>> the floor?
>
>> People who use Tails and expect it to keep them safely torified are
>> likely still vulnerable to things we wrote in our paper (vpwned).
>> Allowing users by default to make non-tor connections, except for
>> specific pluggable transports or dhcp, will probably ensure that
>> variations on the disclosed issues stay relevant.
>
>> If a user wants to use a printer or touch the local subnet, why not
>> make them jump through a (`sudo unsafe-network-unlock`) hoop? Why
>> leave every other user vulnerable by default?
>
> I think you're confusing this thread with another one,
> that is totally orthogonal as I see it.
>
I was specifically replying to this bit:
>> A conservative change to the tails config would be to keep an RELATED
>> rule but limit it to known good ICMP messages.
It seems odd to call that a conservative change, also.
